Copyright © INTEROP TOKYO 2015 ShowNet NOC Team

BGP FlowspecInteroperability Test @

Interop Tokyo 2015ShowNet

ShowNet NOC Team memberShuichi Ohkubo

2015/7/17 JANOG36 Lightning Talk

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 2

BGP Flowspec(RFC5575)• Distribute ACL configuration to network router by BGP

Normal ACL configuration&operation

BGP Flowspec

Login & configuration to each routers Too much work :( Easy to work together with security appliance

RR

BGP

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 33

Use case

https://tnc2012.terena.org/core/presentation/41

GRNET NEO TELECOMS

http://media.frnog.org/FRnOG_18/FRnOG_18-6.pdf

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 44

Use case

https://tnc2012.terena.org/core/presentation/41

GRNET NEO TELECOM

http://media.frnog.org/FRnOG_18/FRnOG_18-6.pdf

But there is no use case of

multi vendors

interoperability

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 5

Interoperability test topology @ShowNet2015

Cisco ASR9900

Huawei NE5000E

Juniper MX480Spirent TestCenter

TestCenter

Proceeded Packets

BGPFlowspec

vMX

Route Generation

TestCenter

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 66

Test result BGP Flowspec Action ruleTest Item NE5000E ASR9900 MX480

Drop ○ ○ ○

Rate-limit ○ ○ ○

VRF Redirect ○ ○ ○

• Configure rate-limit=0 for Drop action

• Rate-limit: Confirmed by measuring the receiving rate to limit 100Mbps

against sending 1Gbps traffic from TestCenter.

• Redirect :confirm interface counter on 3 routers and monitor latency for

received packets by Spirent TestCenter

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 7

VRF Redirect

• Confirmed by measuring packets latency after redirecting (it’ not caused

by degradation of forwarding functionality of the router)

• ASR99xx took about 10 sec for processing after Redirection action rule

injection. In case of withdrawn, the change was immediately reflected to

the forwarding process.

• It depends on BGP Next-hop Scan Timer(configurable)

Late

ncy

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 8

Rate-limit

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 99

Test result by Flow typeFlow type NE5000E ASR9900 MX480

Type 1 - Destination Prefix ○ ○ ○

Type 2 - Source Prefix ○ ○ ○

Type 3 - IP Protocol ○ ○ ○

Type 4 - Port － － －

Type 5 - Destination port ○ ○ ○

Type 6 - Source port ○ ○ ○

Type 7 - ICMP type ○ ○ ○

Type 8 - ICMP code ○ ○ ○

Type 9 - TCP flags ○（Different NLRI） ○ （Different NLRI） ○

Type 10 - Packet length will support in Next release ○ ○

Type 11 - DSCP ○ ○ ○

Type 12 - Fragment －（Different NLRI） ○ ○

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1010

Difference NLRI formatType9. TCP Flags

0x01202d00023602202d00022a0900028010

0x01202d00023602202d00022a098112

Dest /32 45.0.2.54 Src /32 45.0.2.42 TCP

Flg.

Dest /32 45.0.2.54 Src /32 45.0.2.42 TCP

Flg.

Bit

mask

op

op Bit

mask

op Bit

mask

0x10 ACK0x02 SYN

0x12

ACK-SYN

Juniper

Cisco

Configure syn+ack

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1111

Difference NLRI formatType9. TCP Flags

ASR receive NLRI but does not work as expected

Cisco provide special firmware during the Interop period

, confirmed work as expected (It’s already integrated in 5.3.2 as CSCuu79956)

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1212

Difference in Match bit Type9. Type12.

op=0x80

op=0x81

0 1 2 3 4 5 6 7+---+---+---+---+---+---+---+---+| e | a | len | 0 | 0 |not| m |+---+---+---+---+---+---+---+---+

1 0 0 0 0 0 0 0

0 1 2 3 4 5 6 7+---+---+---+---+---+---+---+---+| e | a | len | 0 | 0 |not| m |+---+---+---+---+---+---+---+---+

1 0 0 0 0 0 0 1

NE5000E treat as Invalid m=0

Juniper

Cisco, Huawei Huawei will support in future

（support m=0）

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1313

Operation example on ShowNetAlways seen SSH Brute-force attack

to Shownet

Execute filtering by BGP Flowspec

1. permit TCP Port 22 from specific server 2. drop 45.0.0.0/16 TCP Port 22,23

order of evaluation is important

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1414

Need additional command for JUNOS

By default, the Junos OS uses the term-ordering algorithm defined in version 6 of the BGP flow specification draft. In Junos OS Release 10.0 and later, you can configure the router to comply with the term-ordering algorithm first defined in version 7 of the BGP flow specification and supported through RFC 5575, Dissemination of Flow Specification Routes.

Best Practice: We recommend that you configure the Junos OS to use the term-ordering algorithm first defined in version 7 of the BGP flow specification draft. We also recommend that you configure the Junos OS to use the same term-ordering algorithm on all routing instances configured on a router.

set routing-options flow term-order standard

http://www.juniper.net/documentation/en_US/junos14.2/topics/topic-map/bgp-flow-routes.html

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 15

Simulate AttackerWeb Server(victim)

DDoS Mitigation

Cisco ASR9900

Juniper MX480

DDOS detection

order to BOT

GEIKO:C&C

order to BOT

①

Route-Reflector

DDoSAttack

DDoSAttack

Juniper vMX

Huawei NE5000E

flowspecAdvertise ②

Combination demo with SAMURAI

③

♪Normal Traffic

Attack traffic: scrubbed. Normal traffic: sent back to destination.④

VRFRedirect

Traffic information(xFlow)

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1616

Special ThanksWe appreciate a lot of support

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1717

Appendix

Copyright © INTEROP TOKYO 2015 ShowNet NOC Team 1818

Software Version• Huawei NE5000E 8.65• Cisco ASR9900 IOS-XR 5.3.1• Juniper MX480 Junos 15.1R1.8